Thanks everyone for the feedback! :)
After more research, I saw that the USB had two partitions, 1 allocated and 1 unallocated.
I presume it's free space on the partitions.
The dump was fine after all. Thanks for the support, guys!
Best regards,
UprisingFuture
I am not sure I understand this "unallocated partition".
A partition either exists (in the MBR partition table) or it doesn't.
Then an existing partition (in the MBR) can be formatted (to a given filesystem) or not.
Can you possibly share just the exact make/model and the partition table of the stick?
That would be bytes 446-509 of the MBR, or first physical sector, of the device.
This could help in determining whether the stick was "partitioned in factory" or "later fiddled with" (or both 😯).
Since you are in school, presumably ;) studying computer science or digital forensics, as a side note and general advice for future use, you should be careful when using "I presume" in this field :).
jaclaz
It's a 16 GB SanDisk Cruzer U and the partitions are FAT32 formatted.
Here's a photo.
If you want the exact partition table, can you please tell me how to search for it? I'm working with Autopsy 4.0.0.
I'm aware of the fact that I use "presume" :P I'm studying digital forensics and I'm learning. You never know something without gathering real facts, and when you've found the facts, you still don't know it for sure :D Always set up hypotheses and such; never think you know it for sure!
The USB is related to a school project. I don't know "the legal framework" yet. Am I allowed to share such information as a file table with you when it was from an evidence unit in a "real" investigation?
Best regards,
UprisingFuture
If you want the exact partition table, can you please tell me how to search for it? I'm working with Autopsy 4.0.0.
That would be bytes 446-509 of the MBR, or first physical sector, of the device.
Please read the above as "you can use *any* disk editor or *any* dd-like program to get the first sector of the device and extract from it the relevant 64 bytes corresponding to the partition table".
And rest assured those 64 bytes would not contain "sensitive information": they represent only a set of four addresses/allocated extents.
But the screenshot you posted clears the matter as well [1].
The tool you are using is (improperly) calling "vol" 1, 2, 3 some extents on the device, then tagging the only one "covered" by a partition table entry as "allocated" and tagging the other ones as "unallocated".
It is just a matter of semantics: the device has a single partition that is not big enough to cover all the available sectors on the device.
Given it is a school project, it would make more sense that the data on the stick are the result of a dd copy of an image, and thus the FF's are likely "intentional".
jaclaz
[1] And, as a side note, the sector view in the bottom part of the posted screenshot reveals a lot more info than the partition table; now all the world knows 😯 that your stick has traces of a FAT32 volume in it, made by mkdosfs, labeled "GEHEIM", that, given that nomen est omen, might contain interesting data ;).
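The procedure jaclaz describes (grab sector 0 with dd, take the 64 bytes at offsets 446-509, read four 16-byte entries) is shown below as an added worked example; it is not code from the thread or from Autopsy. Each entry is: boot flag (1 byte), CHS start (3), type (1), CHS end (3), LBA start (4, little-endian), sector count (4, little-endian). The script also reproduces what Autopsy is doing in the screenshot: any gap between the partition entries and the end of the device is reported as an "unallocated" extent. The sample MBR, its single FAT32 (type 0x0C) partition and the 31,250,000-sector device size are constructed for the example, not values taken from the poster's stick.

```python
"""Parse an MBR partition table (bytes 446-509 of sector 0) and list
allocated/unallocated extents the way a forensic tool would.

Get the real input with any dd-like tool, e.g. (needs root):
    dd if=/dev/sdX bs=512 count=1 of=mbr.bin
then run:  python mbr_table.py mbr.bin [total_sectors]
"""
import struct
import sys

SECTOR = 512
PT_OFFSET = 446              # partition table: bytes 446..509
PT_ENTRY_FMT = "<B3sB3sII"   # boot, CHS start, type, CHS end, LBA start, sectors
PT_ENTRY_SIZE = struct.calcsize(PT_ENTRY_FMT)   # 16 bytes, four entries
BOOT_SIG = b"\x55\xaa"       # bytes 510..511

# Common MBR type bytes (well-known values; extend as needed).
TYPE_NAMES = {
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "Extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR as a list of dicts."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA signature at 510..511: not an MBR")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        boot, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PT_ENTRY_FMT, sector0, off)
        if ptype == 0x00:            # empty slot
            continue
        parts.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                      "type_name": TYPE_NAMES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count})
    return parts


def layout(parts, total_sectors):
    """List (start, length, tag) extents covering the whole device.

    Sectors covered by a partition entry are 'allocated'; everything else
    (pre-partition gap, trailing space) is 'unallocated'. This is the view
    Autopsy labels vol1/vol2/vol3 in the screenshot discussed above.
    """
    extents, pos = [], 0
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        start, end = p["lba_start"], p["lba_start"] + p["sectors"]
        if start < pos:
            raise ValueError("overlapping entries: malformed partition table")
        if start > pos:
            extents.append((pos, start - pos, "unallocated"))
        extents.append((start, p["sectors"], "allocated"))
        pos = end
    if pos < total_sectors:
        extents.append((pos, total_sectors - pos, "unallocated"))
    return extents


def build_sample_mbr(entries):
    """Construct a 512-byte MBR from (type, lba_start, sectors) tuples.

    Constructed test data only; CHS fields are set to 0xFFFFFF as modern
    tools do for LBA-only entries.
    """
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(PT_ENTRY_FMT, mbr, PT_OFFSET + i * PT_ENTRY_SIZE,
                         0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                         start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Assumed device size for the demo: ~16 GB at 512-byte sectors.
SAMPLE_TOTAL_SECTORS = 31_250_000


def demo():
    """One FAT32 LBA partition that stops short of the end of the device."""
    mbr = build_sample_mbr([(0x0C, 2048, 30_000_000)])
    return layout(parse_mbr(mbr), SAMPLE_TOTAL_SECTORS)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(SECTOR)
        total = int(sys.argv[2]) if len(sys.argv) > 2 else None
        parts = parse_mbr(data)
        for p in parts:
            print(p)
        if total:
            for ext in layout(parts, total):
                print(ext)
    else:
        for ext in demo():
            print(ext)
```

Run against the constructed sample, the output is three extents: an unallocated gap of 2048 sectors before the partition, the single allocated FAT32 extent, and the unallocated tail up to sector 31,250,000. That is the whole story behind "1 allocated and 1 unallocated": one partition table entry, and a device larger than the partition. Note that the total sector count is not in the MBR; take it from the image size (bytes / 512) or from the device itself.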